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INTRODUCTION 


DIGITALEUROPE, the voice of the digital technology industry in Europe, welcomes the opportunity to provide 
comments on the draft guidelines on transparency under Regulation 2016/679 (wp260) published by Article 29 
Working Party (WP29). We were closely engaged in the legislative debate and worked closely with policy makers 
in shaping the text, giving us insight into the intentions behind specific provisions. 


Our members are currently undertaking extensive efforts in order to implement the GDPR’s requirements. This 
includes reviewing the information they make available about their data processing practices, and of the 
mechanisms they use to communicate that information to data subjects. In light of these efforts, we appreciate 
the WP29 recommendations for how to put the GDPR’s transparency requirements into practice. 


DIGITALEUROPE is concerned, however, that some aspects of the WP29 guidelines are overly prescriptive and 
unduly infringe on the discretion that the GDPR affords controllers to make their own judgments about how to 
deliver transparency (controllers are accountable, of course, for these decisions). We are also concerned that 
aspects of the guidelines appear to go beyond the obligations imposed under the GDPR. 


Accordingly, and to address these concerns, we provide an analysis on some of the key aspect, which we believe 
should be considered in the final guidelines. 


A CLEARER ENDORSEMENT THAT CONTROLLERS HAVE THE DISCRETION — AND 
RESPONSIBILITY — TO DETERMINE HOW AND WHEN TO LAYER PRIVACY STATEMENTS 


We welcome the that WP29 recognise that data subjects can experience “information fatigue” (para 7), and we 
agree that “layered” privacy statements are essential to avoid this (para 7). It is important not to overload data 
subjects with too much detail; layering enables prioritisation. The practice of layering entails an exercise of 
discretion on the part of the controller, who must decide what information to include on each layer. The GDPR 
anticipates that controllers will be best placed to make such decisions — and makes controllers accountable for 
those decisions also. The guidelines should be clearer that controllers can ultimately make different decisions as 
to what information to include in a layer, or how to layer, based on the specifics of their processing, the 
expectations of the data subject, and other relevant factors. 
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ACKNOWLEDGE MORE EXPLICITLY THAT THERE ARE MULTIPLE WAYS CONTROLLERS CAN 
TEST THE INTELLIGIBILITY OF THEIR PRIVACY STATEMENTS 


The guidelines note that controllers can “demonstrate” that their privacy statements are “intelligible” for specific 
audiences through “user panels” (para 8; see also para 21). We agree that user panels and “hall tests” may be 
appropriate in some cases; however, this is a level of testing that is not required by the GDPR. The guidelines 
should more explicitly embrace alternative and more practical methods of demonstrating intelligibility, 
accessibility, such as the long-established Flesch-Kincaid readability test, and other similar yardsticks of readability 
and accessibility. Controllers should retain discretion as to which method — if any — to use in order to demonstrate 
notice intelligibility. 


AVOID OVERLY RESTRICTIVE INTERPRETATIONS OF “CLEAR LANGUAGE” 


The guidelines state that certain exemplar phrases about how data may be used (such as “we may use your 
personal data to,” “develop new services,” or “to offer personalised services,” for example) are “not sufficiently 
clear” (beneath para 11 in the guidelines). We strongly disagree with this position; there is nothing unclear about 
the use of data to improve products and services — indeed, this is a frequent practice today and there is no 
evidence presented in the guidelines that data subjects do not understand this use. Moreover, for reasons of 
business confidentiality, and because product and service innovation requires experimentation and development 
over time, it is difficult or even impossible to be fully precise about the exact service or product being researched 
or developed in advance. WP29 position would essentially prohibit normal, everyday use of data for 
straightforward purposes such as development of new features in software, or language personalisation tools on 
websites. We urge the WP29 to reconsider these examples. 


ACKNOWLEDGE THAT WORDS LIKE “MAY,” “MIGHT,” “SOME,” “OFTEN,” AND “POSSIBLE” 
ARE ACTUALLY FULLY APPROPRIATE IN SOME CASES 


The guidelines state that these words should “be avoided” categorically (para 12) — but this ignores scenarios 
where specific scenarios may lead to specific uses of data. For example, it would be confusing for an e-commerce 
website to tell data subjects that their data “would” be processed to determine their home delivery address for 
product deliveries in all cases — sometimes a collection point is used instead and the home delivery address is not 
required. In these cases, andin many others, the word “may,” or other words indicating some level of uncertainty, 
are still in our view appropriate. 


INTRODUCE A MODICUM OF MATERIALITY WITH RESPECT TO UPDATES TO PRIVACY 
STATEMENTS 


In other major global markets, changes to privacy statements must be notified where those changes are 
“material”. This threshold makes sense; otherwise, data subjects would be flooded with notifications of updates 
to privacy statements that have little or no bearing on them, and over time they are likely to simply ignore such 
notices. However, the guidelines recommend that “any subsequent changes” to privacy statements should be 
notified, and that all notifications should be made via “all measures necessary” (para 22). This is a recipe for 
“notice and update fatigue”. We recommend that the guidelines make clear that the more material the change 
to processing, the further controllers must go to ensure that all data subjects have been notified of the change. 
This approach would echo the approach taken by the WP29 in para 26, where the guidelines differentiate 
between changes that are “indicative of a fundamental change to the nature of processing” and those that are 
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not (we also do not agree that it is always “unfair” to ask data subjects to come back and re-read the privacy 
statement to check for changes; there are scenarios where controllers lack any direct means of contacting data 
subjects and so can take few other steps to bring changes to the attention of the data subject). 


CLARIFY THAT PUBLICATION OF COMPATIBILITY ANALYSES IS AN OPTION, BUT NOT A 
REQUIREMENT 


WP29 states that the principles of transparency, accountability and fairness require publication of the 
compatibility analysis (para 40). This is not a requirement under the GDPR; moreover, a technical analysis like this 
could make privacy statements difficult for laypersons, who are not familiar with data protection legal 
terminology, to understand. Data subjects have the ability to fully exercise their rights whether or not they have 
full information about the compatibility analysis performed, because under Art. 13(3) and 14(4) controllers must 
inform data subjects of relevant information whenever compatible secondary uses of data are carried out. 


RECONSIDER THE RECOMMENDATION THAT CUSTOMER SERVICE TEAMS SHOULD NOT BE 
THE PRIMARY POINT OF CONTACT FOR EXERCISE OF DATA SUBJECT RIGHTS 


The guidelines currently highlight that a privacy statement encouraging data subjects to exercise their rights 
through contacting customer service teams is a “poor practice example” (beneath para 48). Over the course of 
the last few years, our members have received significant numbers of data subject requests; our experience is 
that customer service teams are often best placed to receive and recognize these types of requests, and to 
distinguish them and escalate them appropriately. 


INTERPRET “DISPROPORTIONATE EFFORT” IN LINE WITH THE GDPR’S TEXT 


WP29 reasons that disproportionate effort can only apply where the effort is required only as a “directly 
connected” consequence “of the fact that the personal data was obtained other than from the data subject” 
(para 55). The GDPR does not limit the exception in this way, however; instead, the GDPR says that if the data is 
not collected from the data subject, so that Art. 14 applies, notification is not required if it involves 
“disproportionate effort.” It is certainly true that in many cases the increased effort may flow from the fact that 
the data was not collected directly from the data subject — but the guidelines should hew closer to the GDPR’s 
actual provisions here. The example provided — involving data collected over 50 years ago — also unrealistically 
narrows the exception beyond “disproportionate effort” scenarios actually encountered in practice, and should 
be amended to be more expansive. 


ELEMENTS OF THE SCHEDULE BE REVISITED 


The chart in the guideline’s schedule sets out several positions that appear to go beyond the requirements of the 
GDPR. For example, the chart states that the GDPR requirement to disclose the “recipients (or categories of 
recipients) of personal data” (set out in Art. 13.1(e)) should be interpreted so that the “default position” is that 
all recipients should be specifically named in privacy notices, and that controllers should otherwise have to be 
prepared to demonstrate why the alternative of providing only categories of recipient is “fair”. However, the 
GDPR says nothing about this “fairness” test — instead, it explicitly states that recipients, or categories of 
recipients, may be disclosed. The chart should be revised to be more closely aligned with the actual language of 
the GDPR. Similarly, the GDPR requires disclosure of the legitimate interest used to justify processing where 
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applicable (under Art. 13.1(d)), but the chart suggests that the balancing test associated with that legitimate 
interest should also be disclosed. Clarifying revisions to this statement would also be welcomed. 


Finally, according to Art. 13.2 (b), 14.2 (c) GDPR every data controller has to provide information on the rights of 
the data subject to access, rectify, erase. According to the guidelines, this information needs to include a summary 
of what the right involves and how the data subject can take steps to exercise it. It may be worth considering 
whether to offer a webpage with all the required information in every EU officially spoken language. By providing 
such standardized information by an official source, it could be avoided that every controller provides slightly 
distinct information and ensured that the language is as clear and plain as required and necessary. In their data 
privacy notices the controllers could then simply name the rights and link to the official webpage (saving tons of 
paper by the way). Linking to the information could furthermore prevent information fatigue rather than the data 
subject having to scroll through large amounts of text searching for particular issues. Such an approach would 
also meet the interest of the WP29 of layered privacy statements. 


For more information please contact: 
Iva Tasheva, DIGITALEUROPE’s Policy Manager 
+32 2 609 53 10 or iva.tasheva@digitaleurope.org 
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ABOUT DIGITALEUROPE 


DIGITALEUROPE represents the digital technology industry in Europe. Our members include some of the world's largest IT, 
telecoms and consumer electronics companies and national associations from every part of Europe. DIGITALEUROPE wants 
European businesses and citizens to benefit fully from digital technologies and for Europe to grow, attract and sustain the 
world's best digital technology companies. DIGITALEUROPE ensures industry participation in the development and 
implementation of EU policies. 


DIGITALEUROPE’s members include in total 25,000 ICT Companies in Europe represented by 60 corporate members and 37 
national trade associations from across Europe. Our website provides further information on our recent news and activities: 
http://www.digitaleurope.org 





DIGITALEUROPE MEMBERSHIP 


Corporate Members 


Adobe, Airbus, Amazon, AMD, Apple, Bose, Brother, Canon, Cisco, Dell, Dropbox, Epson, Ericsson, Fujitsu, Google, Hewlett 
Packard Enterprise, Hitachi, HP Inc., Huawei, IBM, Intel, JVC Kenwood Group, Konica Minolta, Kyocera, Lenovo, Lexmark, LG 
Electronics, Loewe, Microsoft, Mitsubishi Electric Europe, Motorola Solutions, MSD Europe Inc., NEC, Nokia, Nvidia Ltd., Océ, 
Oki, Oracle, Panasonic Europe, Philips, Pioneer, Qualcomm, Ricoh Europe PLC, Samsung, SAP, SAS, Schneider Electric, Sharp 
Electronics, Siemens, Sony, Swatch Group, Tata Consultancy Services, Technicolor, Texas Instruments, Toshiba, TP Vision, 
VMware, Western Digital, Xerox, Zebra Technologies. 


National Trade Associations 





Austria: |OO France: AFNUM, Syntec Numérique, Romania: ANIS, APDETIC 

Belarus: INFOPARK Tech in France Slovakia: ITAS 

Belgium: AGORIA Germany: BITKOM, ZVEI Slovenia: GZS 

Bulgaria: BAIT Greece: SEPE Spain: AMETIC 

Croatia: Croatian Chamber of Hungary: IVSZ Sweden: Foreningen 

Economy Ireland: TECHNOLOGY IRELAND Teknikféretagen i Sverige, 

Cyprus: CITEA Italy: Anitec-Assinform IT&Telekomféretagen 

Denmark: DI Digital, IT-BRANCHEN Lithuania: INFOBALT Switzerland: SWICO 

Estonia: ITL Netherlands: Nederland ICT, FIAR Turkey: Digital Turkey Platform, ECID 

Finland: TIF Poland: KIGEIT, PIIT, ZIPSEE Ukraine: IT UKRAINE 
Portugal: AGEFE United Kingdom: techUK 
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